Lapsus$ hack on Okta system only lasted for 25 minutes but it compromised the trust of the identity and access management firm's customers.
Okta confirmed that the hacker group Lapsus$ accessed a support engineer's system at Sitel, a third-party Okta service provider, during the January 16-21 breach.
According to the official statement posted in the website of Okta, Chief Security Officer David Bradbury said that after a thorough analysis, they have concluded that only a small percentage of customers, have potentially been impacted and whose data may have been viewed or acted upon.
Bradbury said that they have identified the customers and already reached out directly by email.
Lapsus$ Breach Impact is Significantly Smaller Than Expected
BleepingComputer reported that based on the final forensic report, the attacker only accessed the two active customer tenants after gaining control of a single workstation used by an engineer working for Sitel.
"During that limited window of time, the threat actor accessed two active customer tenants within the SuperUser application (whom we have separately notified), and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants," Bradbury relayed in a statement made on Tuesday.
He added that the threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support 'impersonation' events.
Okta said that they would ensure that their services providers comply with new security requirements, including adopting Zero Trust security architecture and authenticating via Okta's IDAM solution for all workplace apps, as per the BleepingComputer report.
Okta admitted that they made a mistake of delaying the disclosure of the January breach because they are not yet aware of the extent of the incident and its impact on customers.
The identity and access management firm began investigating claims of a breach after Lapsus$ shared screenshots in a Telegram channel implying they had hacked Okta's customer networks.
Read Also: Lapsus$ Not Yet Dead as Software Company Globant Becomes Latest Victim
Okta Provides Customers With Final Forensic Report
After Okta reached the conclusion of their investigation, they have provided the Okta customers who were impacted with the hack with the final forensic report. This was prepared for Okta by a globally recognized cybersecurity forensic firm.
According to Okta's statement in their website, they also provided the Okta Security Action Plan, which outlines Okta's short and long term steps to strengthen the security of our third-party processors with access to customer support systems.
Okta responded with transparency when they first became aware that the threat actor on March 21, 2022. They shared what they knew at the time.
"On March 22, 2022, they began notifying the maximum number of potentially impacted customers, which we scoped by examining all of the access performed by all Sitel employees to the SuperUser application during the 5-day window." Okta said.
They held meetings that included Okta Security staff to help customers understand their log data, and they shared logs from the SuperUser app with each of these customers.
"We have done this to demonstrate our commitment to rebuilding their trust and to working alongside them to reaffirm the security of their Okta service." Okta explained.
Related Article: Okta Confirms 'Small Percentage of Customers' Possibly Affected by LAPSUS$ Hack After Initially Denying Breach